Method and arrangement in a communication network

ABSTRACT

The present invention relates to the problem of establishing security that arises within an ad hoc network. The problem is solved by using an optical device at a first device to read a public key that is encoded to a graphical string at a second device, which key is required for establishing security.

FIELD OF INVENTION

[0001] The present invention relates to the field of communication networks and more specifically to an ad hoc communication network and a method for establishing a security association in an ad hoc network.

DESCRIPTION OF RELATED ART

[0002] The fast growth of open networks with easy access has raised many security problems. Several security solutions for public networks like the Internet have appeared. Security is a problem in all kinds of open networks, both wired and wireless. Information transmitted over the air is extremely vulnerable. Security solutions can be based on pure symmetric key techniques or can be a combination of symmetric and asymmetric, so-called public key, techniques. Common solutions today are built upon some type of so-called Public Key Infrastructure (PKI). A public key infrastructure is a system used to distribute and check public keys that can be used to authenticate users, exchange session keys, sign information or encrypt information.

[0003] A symmetric key establishing scheme is built on the premise that some a priori secret is known by the involved parties in advance. In principle there are two types of systems: key establishment between two parties sharing a common secret, and key establishment by using a third party, a Key Distribution Center (KDC). A typical requirement in any security application is performing mutual authentication and key exchange. If the two involved parties, like in the first system, are pre-configured with a common shared secret, this can be obtained by using a standard symmetric key authentication and key exchange protocol. A well-known example of the latter system is the Kerberos protocol. A Kerberos system is shown in a schematic block diagram in FIG. 1. A Kerberos system includes a central authentication server, the KDC 101, and several clients 102 and servers 103, whereof only one client 102 and one server 103 are depicted in FIG. 1. When a client 102 in the network wants to exchange secure information with a server 103 in the network, a protocol that involves communication with the KDC 101 is run according to the following steps:

[0004] 104. The client 102 sends a request including a random number to the KDC 101.

[0005] 105. The KDC 101 replies to the client 102 with an encrypted session key.

[0006] 106. The client 102 sends the encrypted session key and an authenticator to the server 103.

[0007] 107. The server 103 replies to the client 102 with an authenticator. This step is an optional step.

[0008] The advantage of a system like the Kerberos system compared to mutual exchange is that each entity only needs to share one long-lived key with the KDC. There is no need to share keys with all parties in the network. The only entity that needs to store several long-lived keys is the KDC.

[0009] In a PKI system, two corresponding (also called asymmetric) keys are used in connection with protecting information. Information which is encrypted with one of the two keys can be decrypted only with the other key. In some PKI systems either of the two keys can be used to encrypt and the other to decrypt. In other systems, one key must be used only for encryption and the other for decryption. One important feature of PKI systems is that it is computationally infeasible to use knowledge of one of the keys to deduce the other key. In a typical PKI system, each of the systems possesses a set of two such keys. One of the keys is maintained private while the other is freely published. If a sender encrypts a message with the recipient's public key, only the intended recipient can decrypt the message, since only the recipient is in possession of the private key corresponding to the published public key. If the sender, before performing the above encryption, first encrypts the message with the sender's private key, the recipient, upon performing first a decryption using the recipient's private key, then a decryption on the result using the sender's public key, is assured not only of privacy but of authentication, since only the sender could have encrypted a message such that the sender's public key successfully decrypts it. In one digital signature scheme, a one-way hash is first applied to a message and the hash of the message is encrypted with the sender's private key.

[0010] A PKI distributes one or several public keys and determines whether a certain public key can be trusted for certain usage or not. A piece of digitally signed information is often called a certificate. Certificates are the basis upon which PKIs are built.

[0011] The degree of confidence that the recipient has in the source of a message depends on the degree of the recipient's confidence that the sender's public key corresponds to a private key that was possessed only by the sender. In many current systems, a number of generally well trusted certification authorities have been established to provide this degree of confidence.

[0012] A common certificate format is Standard X.509 (developed by the International Standards Organisation (ISO) and the Comité Consultatif Internationale Telegraphique et Telephonique (CCITT)). Such a certificate may, e.g., include a public key, the name of the subject who possesses or is associated with the public key, and an expiration date, all of which are digitally signed by a trusted party. The digital signature may be provided, e.g., according to the digital signature standard (DSS) (National Institute of Standards and Technology (NIST)). Typically a digital signature involves applying a one-way hash and then encrypting with the private key of, in this case, the certification authority. Such a digital signature is provided using the private key of the trusted party which, in turn, is authenticated using the trusted party's certificate signed by yet another trusted party, so that there may be a multi-level hierarchy of trusted parties.

[0013] Another certificate format is Pretty Good Privacy (PGP), developed by P. Zimmermann and described in the Internet Engineering Task Force (IETF) Open PGP Specification. PGP provides a way to encrypt and decrypt, sign data and exchange keys. Thus it is more than just a PKI. However, the main idea with PGP is that no strict PKI is needed. Instead the PGP users themselves create and extend the PKI they need. This is done by certifying other users' public keys, i.e., signing trusted public keys with their own secret key. In this way a “web of trust” is created. A particular key may have several different user IDs. Typically a user ID is an email address. If a revocation signature follows a key, the key is revoked. A user certifies another user's key by signing it with one of his own keys which has signing capability. When signing another key, different trust levels can be set, i.e., the amount of confidence the signer has in the signed key and user ID.

[0014] Today, so-called ad hoc networks are used more and more frequently. An ad hoc network is established temporarily for a special purpose. There is no fixed infrastructure; the nodes are the network. The nodes within the network are often mobile and use radio links. An ad hoc network might constitute dynamic wide area connectivity in situations such as military operations, rescue and recovery operations, and remote construction sites. An ad hoc network might also constitute local area connectivity in situations such as temporary conference sites, home networks and robot networks. An ad hoc network might also constitute personal area networks in situations such as interconnected accessories, ad hoc conference tables and games. The nodes might consist of e.g. mobile phones, laptops, television sets and washing machines. In some situations, like in military operations or business conferences, when the communication between the nodes comprises secrets, it is very important that a sender of a message can trust that the receiver really is the intended receiver.

[0015] In the previous examples, bindings between public keys and names or authorisation are described. Several of these certificate solutions exist in different systems. However, it is not yet described how different certificates needed for different kinds of purposes are obtained. In the case of an ordinary X.509 type of PKI with hierarchical Certificate Authority (CA) structures, finding the right certificate is done using some central on-line server or by direct transmission of the certificate at connection set-up. When using PGP, either the desired public key is stored locally on a machine or the device has to make a connection to a central PGP server in order to find the desired public key. This works if it is possible for entities that need some type of security relation to have on-line connections to some particular servers. This is not the case for ad hoc networks. Ad hoc networks are created on the fly between entities that happen to be at the same physical location.

[0016] Although all the security techniques described earlier are very powerful and allow smooth and automatic security for many different use cases, they all have some problem when it comes to the special situation of human faces in an ad hoc network.

[0017] Three different ad hoc scenarios will illustrate the shortcomings of the related art described above regarding ad hoc security establishment.

[0018] In the first scenario several people gather together in a conference room and would like to share some information. Everybody in the conference room has a communication unit such as a laptop or a Personal Data Assistant (PDA) with wireless access to all the other people in the room. The people in the room have not been in contact with each other previously. Now they would like to share some secret information using a certain application in their device. How can this be achieved?

[0019] In the second scenario, a person arrives at a new geographical location and comes to some vendor machine offering him or her some type of service, e.g. a ticket or some food. The person has a paying device with a wireless connection to the vendor machine. The company and the person have no previous relation to each other. How can a person transmit an electronic paying transaction (and thereby receive some product from the machine) to the vendor machine over the air interface?

[0020] In the third scenario, two different devices, e.g. a mouse and a Personal Computer (PC), from two different vendors are connected to each other over a wireless link. A person would like to “pair” these two devices so that they can communicate securely over the wireless link. How can this be done in a user-friendly and efficient way?

[0021] The symmetric key based key sharing mechanisms described above all demand that some secret information is shared between the devices that want to communicate. At least there must be a secure chain, like in the Kerberos system, that can be used to create a trust relation between two devices. A secure chain is e.g. when A and B do not trust each other, but A and C trust each other, and B and C trust each other, so A and B can get a trust relationship via C. This is often hard to achieve for the first and second ad hoc scenarios. Anyway, it would be very cumbersome to manually enter some secret information into all devices in the first scenario. In the third scenario it would be possible to enter some secret symmetric information into the two devices that the person would like to “pair”. This is for example what is used in the security solution of the Bluetooth standard. However, that means that if the device has no input channel, e.g. a mouse, a microphone etc., it must be pre-configured with the secret information and this information must be kept secret. Otherwise, anybody can make a pairing of the device. Furthermore, if the security level should be kept, the secret key of some certain device must be kept physically apart from the device. It is hard for humans to remember several Personal Identification Number (PIN) codes or to store them in a good and secure way.

[0022] A public key based system like the ones described above does not fit well into any of the scenarios described. If it should be possible to use an X.509-like certificate or a PGP key, a trusted party must sign the public key. In the first and second scenarios it is not always assumed that the parties share trusted public keys or have certificates signed by a third party that each party trusts. Also in the third scenario, certificates and public keys cannot be used without some trust in the signature of the certificate or a public key, and since the devices can come from any source it might be very hard to administrate distribution of trusted certificates to all possible devices.

[0023] Therefore, what is further needed is a way of making communications within an ad hoc network more secure.

SUMMARY OF THE INVENTION

[0024] The present invention relates to the requirement of security in an ad hoc network. More particularly it relates to the problem of establishing security that arises within an ad hoc network.

[0025] The problems discussed are:

[0026] The symmetric key based key sharing mechanisms described above all demand that some secret information is shared between the devices that want to communicate. This is often hard to achieve in ad hoc networks.

[0027] A public key based system like the ones described above does not fit well into ad hoc networks, since a trusted party must sign the public key. It is unusual that the parties in an ad hoc network share trusted public keys or have certificates signed by a third party that each party trusts.

[0028] Accordingly, it is an object of the present invention to unravel the above-mentioned problem.

[0029] The solution, according to the invention, is to use an optical device to read a public key that is encoded to a graphical string, which key is required for establishing security.

[0030] An ad hoc communications network according to the invention includes a first device and a second device. These devices are communication devices, which might be a laptop, a mobile phone, a printer, a vendor machine etc. The first device is equipped with an optical device. The second device has a pair of keys, the key pair constituting a secret key and a public key. The public key is hashed to a bit string, which bit string is encoded to a graphical string. The graphical string is visible for the user of the first device. The first device has a user, e.g. the owner of the first device, that trusts the second device. The first device wishes to authenticate the second device. The first device has means for reading the graphical string by means of the optical device and means for authenticating the second device by means of the read string including the public key. An ad hoc communications network according to this first aspect of the invention is hereby characterised by what are the features of claim 1.

[0031] A method for establishing a security relation between a first device and a second device within an ad hoc communications network according to a second aspect of the invention includes the steps of:

[0032] hashing the public key to a bit string;

[0033] encoding the bit string to a graphical string;

[0034] making the graphical string visible for the user of the first device,

[0035] the first device obtaining the graphical string by means of the optical device, and

[0036] the first device authenticating the second device by means of the obtained graphical string.

[0037] A method according to this second aspect of the invention is hereby characterised by what are the features of claim 6.

[0038] An advantage of the present invention is that it is possible to achieve the necessary security associations needed for distributing and sharing information among a group of users that happen to be at the same physical location. There is a large number of applications that fit into this scenario. Among those can be mentioned that people from different companies or organisations that gather in a conference room can share documents with the meeting members.

[0039] Another advantage of the present invention is that the number of manually created trust relations between members in an ad hoc communication network is decreased.

[0040] Yet another advantage of the present invention is that it makes it possible to “pair” devices in a secure way, also in the case of a device lacking an input channel.

[0041] Yet another advantage of the present invention is that since the user physically interacts with the other device to get the trusted key, it is easier for the user to decide whether to trust a device or not.

[0042] Yet another advantage of the present invention is that, due to the simplicity of the solution, also people without much understanding of the rather complicated mathematics or principles of public keys can make secure connections with their devices.

[0043] Further scope of applicability of the present invention will become apparent from the detailed description given hereinafter. However, it should be understood that the detailed description and specific examples, while indicating preferred embodiments of the invention, are given by way of illustration only, since various changes and modifications within the spirit and scope of the invention will become apparent to those skilled in the art from this detailed description.

BRIEF DESCRIPTION OF THE DRAWINGS

[0044] FIG. 1 relates to Prior Art and is thus described above under “Description of related art”.

[0045] FIG. 1 shows a schematic block diagram of a Kerberos system.

[0046] FIG. 2 shows a schematic block diagram of an ad hoc communications network according to the invention.

[0047] FIG. 3 shows a flowchart of the method according to the invention.

DESCRIPTION OF PREFERRED EMBODIMENTS

[0048] The ad hoc communications network according to the invention constitutes e.g. a Bluetooth network or a Wireless Local Area Network (WLAN). The ad hoc network comprises devices constituting e.g. Personal Data Assistants (PDAs), laptops, mice, mobile phones, vendor machines, paying devices, etc., each device comprising communication means. The devices are interconnected via communication links.

[0049] FIG. 2 shows a possible scenario of an ad hoc communications network N according to the invention. The network N comprises a first device A with wireless access to other devices within the network. The first device A might be e.g. a laptop. The first device A is connected to an optical device O over a secured channel. The optical device O reads information optically, i.e. code or text on paper or on an electronic slip, e.g. an LCD display. An example of such a device is a so-called CPen™.

[0050] The first device A also has a person that uses it, a user UA, e.g. the owner of the device. The user UA wishes to communicate with a second device B within the network N. The second device B has wireless access to other devices within the network and it might be e.g. a laptop, a vendor machine, a service device etc. The second device B might also have a user UB or might not, as in the case of constituting a vendor machine or a service device. The second device B has one or several secret key-public key pairs. The public key might be contained in a certificate signed by a third party. The public key or certificate that an arbitrary device would like to use to authenticate itself towards the second device B and/or exchange keys is hashed, using a cryptographically strong one-way function (see A. J. Menezes, P. C. van Oorschot and S. A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997), to a bit string large enough to provide enough cryptographic strength. The bit string is mapped by a one-to-one code to a suitable graphical string S that is readable for the optical device O. The graphical string S is in some way visible for the user UA and the first device A; it might be printed on a card carried by the owner or user UB of the second device B, or it might be displayed on a slip, possibly electronic, physically attached to the second device B.

[0051] The user UA needs to create a security association between his own first device A and the second device B. The user UA, who trusts the graphical string S, reads the graphical string S with the optical device O. The user UA trusts the graphical string e.g. if it is printed on a card that he got from user UB, whom he knows or trusts by any other means, or by recognising a trustworthy company trademark of a vendor machine on which the slip displaying the graphical string is attached. To make it simpler for a user to trust a slip displaying a string, it can be constructed so that it is easy for a user to see that nobody has manipulated the slip, or so that there is some electronic protection of the slip that disables the second device B if somebody manipulates the slip.

[0052] The read graphical string is transmitted from the optical device O to the first device A in a secure way, if they are in different entities.

[0053] The first device A gets the graphical string. If later the device receives a public key or a certificate containing the public key that can be hashed to the string S, that public key or certificate will be treated as trusted.

[0054] The first device A contacts the second device B and performs the security protocol. The security protocol used for authentication and shared key generation can be of any standard type, like the Transport Layer Security (TLS) handshake protocol or the Internet Key Exchange Protocol (IKE).

[0055] The first device A authenticates the second device B using the public key that S is a graphical string of. If the second device B is able to prove that it holds a secret key corresponding to the public key that S is a graphical string of, the second device B is trusted by the first device A.

[0056] It is possible for the user UA to decide for how long and to what extent a public key corresponding to the graphical string should be trusted. In many situations this trust relation might last for a very short time period.

[0057] In another example, both the first and the second devices A and B have a respective optical device and a respective key pair encoded into a respective graphical string being visible. So if the connection between the first device A and the second device B is a mutually trusted connection, the first and the second devices A and B exchange secret session keys using trusted public keys.

[0058] In an embodiment of the present invention the second device B constitutes a service device which has a network address. The service device C might be a printer, a camera, a projector, a pay machine etc. The first device A, which wishes to connect to the service device, requires the network address. According to the present invention the graphical string S is mapped to the network address of the service device B. When the first device A reads the graphical string S by means of the optical device O, it obtains the public key, but also the network address of the service device B.

[0059] FIG. 3 shows a flowchart of establishing a security relation between a first device and a second device within an ad hoc communications network, according to the invention in a general mode.

[0060] The first device has an optical device and the second device has a pair of keys constituting a secret key and a public key.

[0061] The first device has a user that trusts the second device.

[0062] The method comprises the following steps:

[0063] 301. The public key is hashed to a bit string.

[0064] 302. The bit string is encoded to a graphical string.

[0065] 303. The graphical string is made visible for the user of the first device.

[0066] 304. The first device obtains the graphical string by reading the visible optical string by means of the optical device.

[0067] 305. The first device authenticates the second device by means of the obtained graphical string.
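
Steps 301 to 305, together with the trust decision of paragraphs [0053] and [0056], can be illustrated in code. The following is an added example, not part of the patent text; it assumes SHA-256 truncated to 160 bits as the one-way function and base32 as the one-to-one code, and the names `PinStore`, `graphical_string` and `parse_scanned` are hypothetical.

```python
import base64
import hashlib
import hmac

# Assumptions of this example, none of them fixed by the patent text:
# SHA-256 truncated to 160 bits as the one-way function, RFC 4648 base32 as
# the one-to-one code, and dash-separated groups of four for the printed slip.
FINGERPRINT_BYTES = 20          # 160 bits -> exactly 32 base32 characters
ENCODED_LENGTH = 32


def fingerprint(public_key: bytes) -> bytes:
    """Step 301: hash the public key (or certificate) to a bit string."""
    return hashlib.sha256(public_key).digest()[:FINGERPRINT_BYTES]


def graphical_string(public_key: bytes) -> str:
    """Steps 302-303: encode the bit string as text to print or display."""
    text = base64.b32encode(fingerprint(public_key)).decode("ascii")
    return "-".join(text[i:i + 4] for i in range(0, len(text), 4))


def parse_scanned(scanned: str) -> bytes:
    """Step 304: turn what the optical device read back into the bit string.

    A short or malformed read is rejected instead of being compared as a
    prefix, which would silently lower the strength of the check.
    """
    compact = "".join(scanned.split()).replace("-", "").upper()
    if len(compact) != ENCODED_LENGTH:
        raise ValueError("scanned string has the wrong length")
    # b32decode raises binascii.Error (a ValueError) on characters outside
    # the alphabet, e.g. a misread '0' or '1'.
    return base64.b32decode(compact)


class PinStore:
    """Device A's record of the strings its user chose to trust."""

    def __init__(self):
        self._pins = {}         # label -> (bit string, expiry time)

    def pin(self, label: str, scanned: str, ttl: float, now: float) -> None:
        # The user decides how long the trust lasts (paragraph [0056]).
        self._pins[label] = (parse_scanned(scanned), now + ttl)

    def is_trusted(self, label: str, received_key: bytes, now: float) -> bool:
        """Step 305, first half: does the key received over the radio link
        hash to the pinned string? Proof that the peer holds the matching
        secret key is left to the handshake (TLS, IKE) that uses this key."""
        entry = self._pins.get(label)
        if entry is None:
            return False
        expected, expires = entry
        if now >= expires:
            del self._pins[label]
            return False
        return hmac.compare_digest(expected, fingerprint(received_key))


# Constructed sample values, not real keys.
KEY_B = b"constructed public key bytes of device B"
KEY_ATTACKER = b"constructed public key bytes of another device"


def demo() -> tuple:
    store = PinStore()
    printed = graphical_string(KEY_B)                   # shown on B's slip
    store.pin("B", printed.lower(), ttl=60, now=1000)   # read by device O
    return (
        store.is_trusted("B", KEY_B, now=1010),         # genuine key
        store.is_trusted("B", KEY_ATTACKER, now=1010),  # substituted key
        store.is_trusted("B", KEY_B, now=1061),         # pin has expired
    )


if __name__ == "__main__":
    print(demo())
```
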

1. An ad hoc communications network (N) comprising a first device (A) having an optical device (O) and a second device (B) having a pair of keys, the key pair constituting a secret key and a public key, the first device (A) having a user (U) that trusts the second device (B), characterised by the public key being hashed to a bit string, the bit string being encoded to a graphical string (S), the graphical string being visible for the user (U) of the first device (A), the first device (A) having means for obtaining the graphical string by means of the optical device (O), the first device (A) having means for authenticating the second device (B) by means of the obtained string.
2. The ad hoc communications network according to claim 1, characterised in that the first device (A) after receiving a public key from the second device (B), trusts that key if it can be hashed to the string (S).
3. The ad hoc communications network according to claim 1, wherein the second device (B) constitutes a service device having a network address, characterised by the graphical string being mapped to the network address.
4. The ad hoc communications network according to claim 3, characterised by the first device (A) having means for obtaining the network address, by means of the optical device (O).
5. The ad hoc communications network according to claim 4, characterised by the first device (A) having means for connecting to the service device by means of the obtained network address.
6. Method for establishing a security relation between a first device (A) and a second device (B) within an ad hoc communications network (N), the first device (A) having an optical device (O), the second device (B) having a pair of keys constituting a secret key and a public key, the first device (A) having a user that trusts the second device (B), the method comprising the steps of: hashing the public key to a bit string; encoding the bit string to a graphical string (S); making the graphical string (S) visible for the user of the first device (A), the first device (A) obtaining the graphical string (S) by means of the optical device (O), the first device (A) authenticating the second device (B) by means of the obtained graphical string (S).
7. The method according to claim 6, wherein the first device (A) after receiving a public key from the second device (B), trusting that key if it can be hashed to the string (S).
8. The method according to claim 6, wherein the second device (B) constitutes a service device having a network address comprising the further step of: mapping the graphical string to the network address.
9. The method according to claim 8, comprising the further step to be taken by the first device (A): obtaining the network address, by means of the optical device (O).
10. The method according to claim 9, comprising the further step to be taken by the first device (A): connecting to the service device by means of the obtained network address.